Hacker Or Military? Best Of Both In Cyber Security

How radically different approaches play out across the security industry.

Three things happened to me before BlackHat 2014 to bring the entire NSA / Edward Snowden drama back to the forefront. The media reminded us of the one-year anniversary of the original Snowden leaks. At the same time, I saw newly retired General Keith Alexander deliver a keynote at the Gartner Security and Privacy Summit where he provided an in-depth post-NSA speech, benefiting from several months of civilian life under his belt.

In June, I also hiked to the summit of Mount Snowdon in North Wales after speaking at AppSec EU in Cambridge, UK. The spelling is different, but I could not help but loop “Snowden/Snowdon” in my mind a thousand times on the way up and down the mountain. I could only shake my head…

Much has been written about the Snowden affair, including some of my own thoughts about the impact on the security community. I also had some tongue-in-cheek fun at Black Hat 2013, when General Alexander delivered his memorable speech. Black Hat 2013 showed me how differently members of the security community reacted to General Alexander: A third of the way through the General’s speech, the ex-hacker sitting next to me, dressed in jeans and a black t-shirt with a clever security quote, stood up and shouted “Bulls$*#!” He effectively scared the aforementioned expletive out of me and sent all eyes our way.

General Keith Alexander at Black Hat 2013

I’m an ex-Air Force intel officer who was fortunate enough to serve in the original Air Force Computer Emergency Center in the mid-90s. I have known that there is a difference between ex-military and ex-hackers. Yet for my entire security career, I’ve worked very closely with friends who have come up via the other side of the house. I learned there was a difference when I attended my first DEF CON in the late 90s with an ex-hacker consultant friend. He knew everybody there; I knew no one. In 2000, the DEF CON crowd loved it when I was “spotted” and dragged on stage to be interrogated by Priest.

How are ex-military and ex-hackers different? For starters, security guys with a military background are more likely to have a “traditional career.” This typically includes a degree from a four-year university, a series of jobs with certifications, and formal recognition that one would expect from a military person.

Hackers might have an opaque history, particularly for some, before they turned 18 (I learned a long time ago not to probe). They have handles, the military guys don’t. They learned in informal and unstructured ways, but are likely to be more technical than their ex-military counterparts. They largely disdain security certifications, and rarely do you see them making special efforts to test for the CISSP exam. If they do become a CISSP, they likely won’t put it on their business cards, if they have them (ex-military guys always do).

Vive la différence! Never bound by constraints, a hacker’s approach to security testing is more likely to be spontaneous and free flowing. The classic penetration test is a prime example reflecting this hacker ethos. There are many ways to get to root access, and penetration testing is unconcerned with how you get there, as long as you get there.

Military guys, on the other hand, are likely more comfortable with traditional risk assessments that attempt to methodically capture all obvious risks. This follows more of a checklist-mentality with objectives, formalized testing methodology, and up-front training of consultants for consistent results. These two approaches play out across the industry; the sophisticated security person knows they both have their place and knows the difference between the two.

Military security guys have held the highest clearances and believe the world is a dangerous place full of bad people who do not like us. Hence, the benefit of the doubt for NSA is given, for example. They might view the world through a good-guy/bad-guy lens, and feel less comfortable with talking to gray- or black-hatters who actually might have great threat information about zero days or the security of their own organizations.

Ex-hackers, however, have no problem engaging members of the underground community. They were once part of that community, in certain instances. So hackers are likely to have access to information that ex-military security folks don’t have.

There are countless examples of the differences between security guys from the hacker and military worlds. And, yes, generalizations are still generalizations. At conferences like Black Hat, DEF CON, and B-Sides we see these characteristics in stark contrast. However, a savvy security practitioner understands that while there may be differences, we can put them to work on behalf of our organizations and, most importantly, the greater good.

John Dickson is an internationally recognized security leader, entrepreneur, and Principal at Denim Group Ltd. He has nearly 20 years of hands-on experience in intrusion detection, network security, and application security in the commercial, public, and military sectors. As ...

Broken every single one of your stereotypes except the college one, although I have ex-hacker colleagues that even defy that one. Wouldn't label myself as a non-military type (even though I've never been in any military) and wouldn't label myself as an ex-hacker type (even though many of my colleagues who are ex hackers would classify me as such).

It's important to live in both of these worlds for all of the spectrums of these personality types. We do have a common operational picture and a common enemy after all. I'd like to hear about more people like myself who break stereotypes almost categorically.

So the question remains... who will make the better leader? My bet is not on the current White House cyber czar or Jeff Moss. The best leader in cyber will be an Eisenhower, and his or her trusted advisors will be younger Scot Terbans and Ali-Reza Anghaies.

I have also seen professional civilians that just didn't understand that there was no I in team and didn't get along with anyone... at all!

If there were any common source of friction between ex-military and non-ex-military, it would be where planning efforts run into innovation and creativity.

Military doctrine almost always requires that planning take place at all times for all missions as much as possible. Planning is central to classic strategic and tactical efforts with the goal of completion of a mission while mitigating loss and optimizing results with limited resources.

Creativity on the other hand requires the "blank sheet of endless paper" mentality where the only plan, if there is one, is to accomplish some kind of a goal. Even the goal can be nebulous in that the creativity could be along the lines of "let us see what happens when we do this." For military thinking, this is not a common practice unless it is encapsulated in a safe and predictable shell. When working with tools and resources that can kill people, this is not a bad thing!

When both mindsets do come together with a common goal and genuine respect and understanding of the strengths and weaknesses of both sides of the fence, the results can be quite brilliant. Example: DARPA.

A few years ago, I was engaged in a Red Team project that involved several professional pen testers. If I recall, there were 9 people on the team. It was a dream job for me because I had been given a chance to be on this team. The team lead was more of a project manager with a background in pen testing. A very organized and talented individual I would work for any day. Heck, the entire team was awesome.

One day, the team lead scheduled a meeting for us to get together to discuss some details of the project we were currently focused on. The time of the meeting was at 1300 hrs (1PM for you non-ex-military types).

Four others and myself showed up 5 to 15 minutes early.

The team lead showed up about 2 minutes before the meeting start. Pleasantly pleased to see some of the team there before he was.

The rest of the team showed up later... anywhere from 10 to 30 minutes later. The team lead said little other than "glad you could make it" and "we were just talking about...". No facial expressions or body language of any negative sense was given.

The meeting progressed for a while, some planning issues resolved, and everything moving along in the discussions. We began to run close on time for the room we were in.

As the meeting was wrapping up, the team lead diverged from the discussion for a few moments.

He asked for hands in the air for those in the room who were ex-military. All of us early birds raised our hands. The other guys smirked a little. The team lead then said that if anyone is late, it was highly recommended they bring coffees or donuts for everyone. The smirks disappeared. It was obvious he was not pleased with the late shows. He was smiling, but his countenance was not.

Nobody was late to any of his meetings again. As I recall, the team lead also always brought donuts to the meetings regardless of his timing. Always mixed variety, always first come, first serve on selection.

The team lead was not prior military, but he was the boss. Big career hint regardless of background: Always never have your boss waiting on you.

Great article. I think many people forget that when it comes to IT security, there are definitely different approaches when it comes to how folks become involved in the community. And with that, you clearly illustrate why we need both types of security folks, traditional, formally-learned and those who are more self-taught. Unfortunately, in a lot of areas, these two types have strong stereotypes and those from the hacker community still have a bit of a "bad guy" type of image associated with them, despite their high desirability in the security industry. Will these stereotypes change? Probably not, but hopefully articles like this will help illustrate why both sides are legitimate sources for security expertise.
